# Copyright (c) 2013, The Linux Foundation. All rights reserved. # Not a Contribution. # # Copyright (C) 2012 The Android Open Source Project # # IMPORTANT: Do not create world writable files or directories. # This is a common source of Android security bugs. # import /init.environ.rc import /init.usb.rc import /init.${ro.hardware}.rc import /init.trace.rc import /init.carrier.rc import /init.container.rc on early-init # Set init and its forked children's oom_adj. write /proc/1/oom_adj -16 # Set the security context for the init process. # This should occur before anything else (e.g. ueventd) is started. setcon u:r:init:s0 start ueventd # Configure SEAndroid booleans and enforcing mode setsebool debugfs 1 # create mountpoints mkdir /mnt 0775 root system on init sysclktz 0 loglevel 3 # Vibetonz export VIBE_PIPE_PATH /dev/pipes mkdir /dev/pipes 0771 vibe vibe restorecon /dev/pipes # for audit message chown system system /proc/avc_msg chmod 0660 /proc/avc_msg # Backward compatibility symlink /system/etc /etc symlink /sys/kernel/debug /d # Right now vendor lives on the same filesystem as system, # but someday that may change. symlink /system/vendor /vendor # Create cgroup mount point for cpu accounting mkdir /acct mount cgroup none /acct cpuacct mkdir /acct/uid # Create cgroup mount point for memory mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000 mkdir /sys/fs/cgroup/memory 0750 root system mount cgroup none /sys/fs/cgroup/memory memory write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 chown root system /sys/fs/cgroup/memory/tasks chmod 0660 /sys/fs/cgroup/memory/tasks mkdir /sys/fs/cgroup/memory/sw 0750 root system write /sys/fs/cgroup/memory/sw/memory.swappiness 100 write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1 chown root system /sys/fs/cgroup/memory/sw/tasks chmod 0660 /sys/fs/cgroup/memory/sw/tasks mkdir /system mkdir /data 0771 system system mkdir /cache 0770 system cache mkdir /config 0500 root root mkdir /efs 0771 system radio # See storage config details at http://source.android.com/tech/storage/ mkdir /mnt/shell 0750 shell shell mkdir /mnt/media_rw 0700 media_rw media_rw mkdir /storage 0751 root sdcard_r # Directory for putting things only root should see. mkdir /mnt/secure 0700 root root # Create private mountpoint so we can MS_MOVE from staging mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0 # Directory for staging bindmounts mkdir /mnt/secure/staging 0700 root root restorecon -R /mnt/secure/staging # Directory-target for where the secure container # imagefile directory will be bind-mounted mkdir /mnt/secure/asec 0700 root root mount tmpfs tmpfs /mnt/secure/asec mode=0700,uid=0,gid=0 restorecon -R /mnt/secure/asec # Secure container public mount points. mkdir /mnt/asec 0700 root system mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 restorecon -R /mnt/asec # Filesystem image public mount points. mkdir /mnt/obb 0700 root system mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 restorecon -R /mnt/obb write /proc/sys/kernel/panic_on_oops 1 write /proc/sys/kernel/hung_task_timeout_secs 0 write /proc/cpu/alignment 4 write /proc/sys/kernel/sched_latency_ns 10000000 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 write /proc/sys/kernel/sched_compat_yield 1 write /proc/sys/kernel/sched_child_runs_first 0 write /proc/sys/kernel/randomize_va_space 2 write /proc/sys/kernel/kptr_restrict 2 write /proc/sys/kernel/dmesg_restrict 1 write /proc/sys/vm/mmap_min_addr 32768 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" write /proc/sys/kernel/sched_rt_runtime_us 950000 write /proc/sys/kernel/sched_rt_period_us 1000000 # Create cgroup mount points for process groups mkdir /dev/cpuctl mount cgroup none /dev/cpuctl cpu chown system system /dev/cpuctl chown system system /dev/cpuctl/tasks chmod 0660 /dev/cpuctl/tasks write /dev/cpuctl/cpu.shares 1024 write /dev/cpuctl/cpu.rt_runtime_us 950000 write /dev/cpuctl/cpu.rt_period_us 1000000 mkdir /dev/cpuctl/apps chown system system /dev/cpuctl/apps/tasks chmod 0666 /dev/cpuctl/apps/tasks write /dev/cpuctl/apps/cpu.shares 1024 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 mkdir /dev/cpuctl/apps/bg_non_interactive chown system system /dev/cpuctl/apps/bg_non_interactive/tasks chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks # 5.0 % write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 # qtaguid will limit access to specific data based on group memberships. # net_bw_acct grants impersonation of socket owners. # net_bw_stats grants access to other apps' detailed tagged-socket stats. chown root net_bw_acct /proc/net/xt_qtaguid/ctrl chown root net_bw_stats /proc/net/xt_qtaguid/stats # Allow everybody to read the xt_qtaguid resource tracking misc dev. # This is needed by any process that uses socket tagging. chmod 0644 /dev/xt_qtaguid # Create location for fs_mgr to store abbreviated output from filesystem # checker programs. mkdir /dev/fscklogs 0770 root system # To sync between sdcard & installd setprop installd.sdcard_manipulate_done 0 on post-fs # once everything is setup, no need to modify / mount rootfs rootfs / ro remount # mount shared so changes propagate into child namespaces mount rootfs rootfs / shared rec mount tmpfs tmpfs /mnt/secure private rec mount tmpfs tmpfs /mnt/secure/asec shared rec # We chown/chmod /cache again so because mount is run as root + defaults chown system cache /cache chmod 0770 /cache # We restorecon /cache in case the cache partition has been reset. restorecon /cache # This may have been created by the recovery system with odd permissions chown system cache /cache/recovery chmod 0770 /cache/recovery # This may have been created by the recovery system with the wrong context. restorecon /cache/recovery #change permissions on vmallocinfo so we can grab it from bugreports chown root log /proc/vmallocinfo chmod 0440 /proc/vmallocinfo chown root log /proc/slabinfo chmod 0440 /proc/slabinfo #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks chown root system /proc/kmsg chmod 0440 /proc/kmsg chown root system /proc/sysrq-trigger chmod 0220 /proc/sysrq-trigger chown system log /proc/last_kmsg chmod 0440 /proc/last_kmsg # create the lost+found directories, so as to enforce our permissions mkdir /cache/lost+found 0770 root root restorecon /cache/lost+found on post-fs-data # Reload SE Android Policy setprop selinux.reload_policy 1 # We chown/chmod /data again so because mount is run as root + defaults chown system system /data chmod 0771 /data # We restorecon /data in case the userdata partition has been reset. restorecon /data # Avoid predictable entropy pool. Carry over entropy from previous boot. copy /data/system/entropy.dat /dev/urandom # Create dump dir and collect dumps. # Do this before we mount cache so eventually we can use cache for # storing dumps on platforms which do not have a dedicated dump partition. mkdir /data/dontpanic 0750 root log # Collect apanic data, free resources and re-arm trigger copy /proc/apanic_console /data/dontpanic/apanic_console chown root log /data/dontpanic/apanic_console chmod 0640 /data/dontpanic/apanic_console copy /proc/apanic_threads /data/dontpanic/apanic_threads chown root log /data/dontpanic/apanic_threads chmod 0640 /data/dontpanic/apanic_threads write /proc/apanic_console 1 # create basic filesystem structure mkdir /data/misc 01771 system misc mkdir /data/misc/audit 02775 audit system mkdir /data/misc/adb 02750 system shell mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack mkdir /data/misc/bluetooth 0770 system system mkdir /data/misc/keystore 0700 keystore keystore mkdir /data/misc/keychain 0771 system system mkdir /data/misc/radio 0771 system radio mkdir /data/misc/sms 0770 system radio mkdir /data/misc/zoneinfo 0775 system system mkdir /data/misc/vpn 0770 system vpn mkdir /data/misc/systemkeys 0700 system system # give system access to wpa_supplicant.conf for backup and restore mkdir /data/misc/wifi 0770 wifi wifi chmod 0660 /data/misc/wifi/wpa_supplicant.conf mkdir /data/local 0751 root root mkdir /data/misc/media 0700 media media # icd check_icd chown system system /dev/icd chmod 0644 /dev/icd chown system system /dev/icdr chmod 0644 /dev/icdr chown system system /dev/tzic #SideSync chown system system /dev/android_ssusbcon chmod 0660 /dev/android_ssusbcon # For security reasons, /data/local/tmp should always be empty. # Do not place files or directories in /data/local/tmp mkdir /data/local/tmp 0771 shell shell mkdir /data/data 0771 system system mkdir /data/app-private 0771 system system mkdir /data/app-asec 0700 root root mkdir /data/app-lib 0771 system system mkdir /data/app 0771 system system mkdir /data/property 0700 root root mkdir /data/ssh 0750 root shell mkdir /data/ssh/empty 0700 root root mkdir /data/system 0775 system system mkdir /data/system/container 0700 system system restorecon -R /data/system # SA, System SW, SAMSUNG create log directory mkdir /data/log 0775 system log chown system log /data/log mkdir /data/anr 0775 system system chown system system /data/anr chmod 0775 /data/log chmod 0775 /data/anr restorecon /data/log restorecon /data/anr # create dalvik-cache, so as to enforce our permissions mkdir /data/dalvik-cache 0771 system system # create resource-cache and double-check the perms mkdir /data/resource-cache 0771 system system chown system system /data/resource-cache chmod 0771 /data/resource-cache # create the lost+found directories, so as to enforce our permissions mkdir /data/lost+found 0770 root root restorecon /data/lost+found # create directory for DRM plug-ins - give drm the read/write access to # the following directory. mkdir /data/drm 0770 drm drm # create directory for MediaDrm plug-ins - give drm the read/write access to # the following directory. mkdir /data/mediadrm 0770 mediadrm mediadrm # DRK permission mkdir /efs/prov_data 700 system system mkdir /efs/prov 0770 radio system chown radio system /efs/prov/libdevkm.lock chmod 0660 /efs/prov/libdevkm.lock #drm permission mkdir /efs/drm 0774 drm system #h2k permission chmod 0644 /efs/redata.bin chown radio radio /efs/h2k.dat chmod 0644 /efs/h2k.dat chown system system /efs/drm/h2k # [ SEC_MM_DRM # sdrm mkdir /efs/drm 0774 drm system mkdir /efs/drm/sdrm 0774 drm system mkdir /efs/drm/sdrm/data_agent 0774 drm system mkdir /efs/drm/playready 0775 drm system restorecon /efs/drm restorecon /efs/drm/sdrm restorecon /efs/drm/data_agent # DRM directory creation mkdir /system/etc/security/.drm 0775 chown root root /system/etc/security/.drm chmod 0775 /system/etc/security/.drm # Added for Playready DRM Support mkdir /data/data/.drm 0775 chown drm system /data/data/.drm chmod 0775 /data/data/.drm mkdir /data/data/.drm/.playready 0775 chown drm system /data/data/.drm/.playready chmod 0775 /data/data/.drm/.playready # Added drm folder to copy drm plugins mkdir /system/lib/drm 0775 chown root root /system/lib/drm chmod 0775 /system/lib/drm # DivX DRM mkdir /efs/.files 0775 mkdir /efs/.files/.dx1 0775 mkdir /efs/.files/.dm33 0775 mkdir /efs/.files/.mp301 0775 chown media system /efs/.files/.dx1 chown media system /efs/.files/.dm33 chown media system /efs/.files/.mp301 chmod 0775 /efs/.files/.dx1 chmod 0775 /efs/.files/.dm33 chmod 0775 /efs/.files/.mp301 restorecon -R /efs # ] # MTP device permission chmod 0660 /dev/usb_mtp_gadget chown system mtp /dev/usb_mtp_gadget mkdir /dev/socket/mtp 0770 system mtp # symlink to bugreport storage location symlink /data/data/com.android.shell/files/bugreports /data/bugreports # Separate location for storing security policy files on data mkdir /data/security 0700 system system mkdir /data/security/spota 0700 system system mkdir /data/security/booleans 0711 system system mkdir /data/security/good 0700 system system mkdir /data/security/stig 0700 system system mkdir /data/security/booleans 0711 system system mkdir /data/security/mycontainer 0700 system system # If there is no fs-post-data action in the init..rc file, you # must uncomment this line, otherwise encrypted filesystems # won't work. # Set indication (checked by vold) that we have finished this action #setprop vold.post_fs_data_done 1 # Permissions for Camera chown system radio /sys/class/camera/rear/rear_camfw chown system radio /sys/class/camera/rear/rear_camtype chown system media_rw /sys/class/camera/rear/rear_checkApp chown system radio /sys/class/camera/flash/rear_flash chmod 664 /sys/class/camera/flash/rear_flash #D2 Assistive Light - Start chown system radio /sys/class/camera/rear/rear_flash chmod 664 /sys/class/camera/rear/rear_flash #D2 Assistive Light - End chown system radio /sys/class/camera/front/front_camfw chown system radio /sys/class/camera/front/front_camtype # Permissions for svc led chown system system /sys/class/sec/led/led_r chown system system /sys/class/sec/led/led_g chown system system /sys/class/sec/led/led_b chown system system /sys/class/sec/led/led_pattern chown system system /sys/class/sec/led/led_blink chown system system /sys/class/sec/led/led_lowpower on boot # reset_reason chown system system /proc/reset_reason chmod 0600 /proc/reset_reason # Mobicore mkdir /data/app/mcRegistry 0775 system system # Vibetonz chmod 0660 /dev/tspdrv chown vibe vibe /dev/tspdrv # volume up/down key chown radio system /sys/class/sec/sec_key/wakeup_keys # basic network init ifup lo hostname localhost domainname localdomain # set RLIMIT_NICE to allow priorities from 19 to -20 setrlimit 13 40 40 # Memory management. Basic kernel parameters, and allow the high # level system server to be able to adjust the kernel OOM driver # parameters to match how it is managing things. write /proc/sys/vm/overcommit_memory 1 write /proc/sys/vm/min_free_order_shift 4 chown root system /sys/module/lowmemorykiller/parameters/adj chmod 0664 /sys/module/lowmemorykiller/parameters/adj chown root system /sys/module/lowmemorykiller/parameters/minfree chmod 0664 /sys/module/lowmemorykiller/parameters/minfree # Tweak background writeout write /proc/sys/vm/dirty_expire_centisecs 200 write /proc/sys/vm/dirty_background_ratio 5 # Permissions for System Server and daemons. chown radio system /sys/android_power/state chown radio system /sys/android_power/request_state chown radio system /sys/android_power/acquire_full_wake_lock chown radio system /sys/android_power/acquire_partial_wake_lock chown radio system /sys/android_power/release_wake_lock chown system system /sys/power/autosleep chown system system /sys/power/state chown system system /sys/power/wakeup_count chown radio system /sys/power/wake_lock chown radio system /sys/power/wake_unlock chmod 0660 /sys/power/state chmod 0660 /sys/power/wake_lock chmod 0660 /sys/power/wake_unlock # SEC DVFS sysfs node chown radio system /sys/power/cpufreq_max_limit chown radio system /sys/power/cpufreq_min_limit chown radio system /sys/power/cpufreq_table chown radio system /sys/class/kgsl/kgsl-3d0/max_pwrlevel chown radio system /sys/class/kgsl/kgsl-3d0/min_pwrlevel chown radio system /sys/class/kgsl/kgsl-3d0/gpu_available_frequencies chown radio system /sys/class/kgsl/kgsl-3d0/fps chown radio system /sys/class/kgsl/kgsl-3d0/max_fps chmod 664 /sys/power/cpufreq_max_limit chmod 664 /sys/power/cpufreq_min_limit chmod 664 /sys/power/cpufreq_table chmod 664 /sys/class/kgsl/kgsl-3d0/max_pwrlevel chmod 664 /sys/class/kgsl/kgsl-3d0/min_pwrlevel chmod 664 /sys/class/kgsl/kgsl-3d0/gpu_available_frequencies chown radio system /sys/devices/system/cpu/kernel_max chmod 664 /sys/devices/system/cpu/kernel_max chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay chown system system /sys/devices/system/cpu/cpufreq/interactive/boost chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy # Assume SMP uses shared cpufreq policy for all CPUs chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq # MDNIE chown system system /sys/class/mdnie/mdnie/lcdtype chown system system /sys/class/mdnie/mdnie/lcd_power chown system media_rw /sys/class/mdnie/mdnie/scenario chown system system /sys/class/mdnie/mdnie/tuning chown system media_rw /sys/class/mdnie/mdnie/outdoor chown system system /sys/class/mdnie/mdnie/mdnie_temp chown system system /sys/class/mdnie/mdnie/mode chown system system /sys/class/mdnie/mdnie/negative chown system media_rw /sys/class/mdnie/mdnie/playspeed chown system system /sys/class/lcd/panel/window_type chown radio system /sys/class/lcd/panel/power_reduce chown system media_rw /sys/class/mdnie/mdnie/accessibility chown system system /sys/class/mdnie/mdnie/cabc chown radio system /sys/class/lcd/panel/siop_enable chown radio system /sys/class/lcd/panel/temperature # Adjust YUV to RGB Conversion chown system media_rw /sys/class/graphics/fb0/csc_cfg chmod 0660 /sys/class/graphics/fb0/csc_cfg # Dynamic FPS chown radio system /sys/class/lcd/panel/fps_change chmod 0664 /sys/class/lcd/panel/fps_change # Auto Brightness chown system system /sys/class/backlight/panel/auto_brightness chmod 0660 /sys/class/backlight/panel/auto_brightness # Permission for Touchscreen, Touchkey. chown radio system /sys/class/sec/sec_touchkey/touch_sensitivity chown radio system /sys/class/sec/sec_touchkey/touchkey_firm_update chown system radio /sys/class/sec/tsp/cmd chown system radio /sys/class/sec/sec_touchkey/glove_mode chown system radio /sys/class/sec/sec_touchkey/flip_mode chown system system /sys/class/timed_output/vibrator/enable chown system system /sys/class/leds/keyboard-backlight/brightness chown system system /sys/class/leds/lcd-backlight/brightness chown system system /sys/class/leds/button-backlight/brightness chown system system /sys/class/leds/jogball-backlight/brightness chown system system /sys/class/leds/red/brightness chown system system /sys/class/leds/green/brightness chown system system /sys/class/leds/blue/brightness chown system system /sys/class/leds/red/device/grpfreq chown system system /sys/class/leds/red/device/grppwm chown system system /sys/class/leds/red/device/blink chown system system /sys/class/timed_output/vibrator/enable chown system system /sys/module/sco/parameters/disable_esco chown system system /sys/kernel/ipv4/tcp_wmem_min chown system system /sys/kernel/ipv4/tcp_wmem_def chown system system /sys/kernel/ipv4/tcp_wmem_max chown system system /sys/kernel/ipv4/tcp_rmem_min chown system system /sys/kernel/ipv4/tcp_rmem_def chown system system /sys/kernel/ipv4/tcp_rmem_max chown root radio /proc/cmdline # permission for CHARGING chown system radio /sys/class/power_supply/battery/batt_reset_soc chown system radio /sys/class/power_supply/battery/update chown system radio /sys/class/power_supply/battery/factory_mode chown system radio /sys/class/power_supply/battery/batt_slate_mode chown sdcard_rw sdcard_rw /sys/class/power_supply/battery/call chown sdcard_rw sdcard_rw /sys/class/power_supply/battery/video chown sdcard_rw sdcard_rw /sys/class/power_supply/battery/music chown sdcard_rw sdcard_rw /sys/class/power_supply/battery/browser chown sdcard_rw sdcard_rw /sys/class/power_supply/battery/hotspot chown sdcard_rw sdcard_rw /sys/class/power_supply/battery/camera chown system radio /sys/class/power_supply/battery/talk_wcdma chown system radio /sys/class/power_supply/battery/talk_gsm chown system radio /sys/class/power_supply/battery/call chown system radio /sys/class/power_supply/battery/data_call chown system radio /sys/class/power_supply/battery/gps chown system radio /sys/class/power_supply/battery/wifi chown system radio /sys/class/power_supply/battery/lte chown system radio /sys/class/power_supply/battery/wc_enable chown system radio /sys/class/power_supply/battery/lcd chown system radio /sys/class/power_supply/battery/batt_temp_table # Set these so we can remotely update SELinux policy chown system system /sys/fs/selinux/load chown system system /sys/fs/selinux/enforce # Permissions for SSRM chmod 0664 /sys/devices/platform/sec-thermistor/temperature chmod 0664 /sys/class/power_supply/battery/siop_level chmod 0664 /sys/class/power_supply/battery/test_charge_current chown radio system /sys/devices/platform/sec-thermistor/temperature chown radio system /sys/class/power_supply/battery/siop_level chown radio system /sys/class/power_supply/battery/test_charge_current #OTG Test chown system radio /sys/class/host_notify/usb_otg/booster chmod 0660 /sys/class/host_notify/usb_otg/booster #FM Radio chown system audio /dev/fmradio chmod 660 /dev/fmradio #Essential node for usbservice mkdir /dev/bus/ 755 root root mkdir /dev/bus/usb 755 root root # # Accelerometer_sensor chown system radio /sys/class/sensors/accelerometer_sensor/raw_data chown system radio /sys/class/sensors/accelerometer_sensor/calibration chown system radio /sys/class/sensors/accelerometer_sensor/reactive_alert chown system radio /sys/class/sensors/accelerometer_sensor/vendor chown system radio /sys/class/sensors/accelerometer_sensor/name # Grip_sensor chown system radio /sys/class/sensors/grip_sensor/onoff chown system radio /sys/class/sensors/grip_sensor/calibration chown system radio /sys/class/sensors/grip_sensor/raw_data chown system radio /sys/class/sensors/grip_sensor/offset chown system radio /sys/class/sensors/grip_sensor/threshold chown system radio /sys/class/sensors/grip_sensor/name chown system radio /sys/class/sensors/grip_sensor/vendor # Proximity_sensor chown system radio /sys/class/sensors/proximity_sensor/state chown system radio /sys/class/sensors/proximity_sensor/raw_data chown system radio /sys/class/sensors/proximity_sensor/prox_avg chown system radio /sys/class/sensors/proximity_sensor/prox_cal chown system radio /sys/class/sensors/proximity_sensor/vendor chown system radio /sys/class/sensors/proximity_sensor/name chown system radio /sys/class/sensors/proximity_sensor/thresh_high chown system radio /sys/class/sensors/proximity_sensor/thresh_low chown system radio /sys/class/sensors/proximity_sensor/barcode_emul_en # Light_sensor chown system radio /sys/class/sensors/light_sensor/lux chown system radio /sys/class/sensors/light_sensor/raw_data chown system radio /sys/class/sensors/light_sensor/vendor chown system radio /sys/class/sensors/light_sensor/name # Gyro_sensor chown system radio /sys/class/sensors/gyro_sensor/power_on chown system radio /sys/class/sensors/gyro_sensor/power_off chown system radio /sys/class/sensors/gyro_sensor/temperature chown system radio /sys/class/sensors/gyro_sensor/selftest chown system radio /sys/class/sensors/gyro_sensor/selftest_dps chown system radio /sys/class/sensors/gyro_sensor/vendor chown system radio /sys/class/sensors/gyro_sensor/name # Barometer_sensor chown system radio /sys/class/sensors/barometer_sensor/sea_level_pressure chown system radio /sys/class/sensors/barometer_sensor/eeprom_check chown system radio /sys/class/sensors/barometer_sensor/vendor chown system radio /sys/class/sensors/barometer_sensor/name chown system radio /sys/class/sensors/barometer_sensor/calibration # Magnetic_sensor # chown system radio /dev/akm8963 chown system radio /sys/class/sensors/magnetic_sensor/raw_data chown system radio /sys/class/sensors/magnetic_sensor/vendor chown system radio /sys/class/sensors/magnetic_sensor/name # uv_sensor chown system radio /sys/class/sensors/uv_sensor/vendor chown system radio /sys/class/sensors/uv_sensor/name chown system radio /sys/class/sensors/uv_sensor/raw_data chown system radio /sys/class/sensors/uv_sensor/power_on chown system radio /sys/class/sensors/uv_sensor/power_off # Temphumidity_sensor chown system radio /sys/class/sensors/temphumidity_sensor/vendor chown system radio /sys/class/sensors/temphumidity_sensor/name chown system radio /sys/class/sensors/temphumidity_sensor/engine_ver chown system radio /sys/class/sensors/temphumidity_sensor/engine_ver2 chown system radio /sys/class/sensors/temphumidity_sensor/cp_thm chown system radio /sys/class/sensors/temphumidity_sensor/send_accuracy # SensorHub chown system radio /sys/class/sensors/ssp_sensor/enable chown system radio /sys/class/sensors/ssp_sensor/enable_irq chown system radio /sys/class/sensors/ssp_sensor/mcu_rev chown system radio /sys/class/sensors/ssp_sensor/mcu_name chown system radio /sys/class/sensors/ssp_sensor/mcu_test chown system radio /sys/class/sensors/ssp_sensor/mcu_reset chown system radio /sys/class/sensors/ssp_sensor/mcu_update chown system radio /sys/class/sensors/ssp_sensor/mcu_sleep_test chown system radio /sys/class/sensors/ssp_sensor/ori_poll_delay chown system radio /sys/class/sensors/ssp_sensor/mag_poll_delay chown system radio /sys/class/sensors/ssp_sensor/temp_humi_poll_delay # Gesture_sensor chown system radio /sys/class/sensors/gesture_sensor/ir_current chown system radio /sys/class/sensors/gesture_sensor/selftest # Seac Jack chown media system /sys/class/audio/earjack/reselect_jack # IrLed chmod 0660 /dev/ice4_dev chown system system /dev/ice4_dev # NFC_NXP setprop ro.nfc.port "I2C" chmod 0600 /dev/pn544 chown nfc nfc /dev/pn544 # NFC_BROADCOM chmod 0600 /dev/bcm2079x chown nfc nfc /dev/bcm2079x mkdir /data/bcmnfc mkdir /data/bcmnfc/param chmod 0700 /data/bcmnfc chmod 0700 /data/bcmnfc/param chown nfc nfc /data/bcmnfc chown nfc nfc /data/bcmnfc/param # Permissions for Barcode Emul chown system radio /sys/class/sec/sec_barcode_emul/barcode_send chown system radio /sys/class/sec/sec_barcode_emul/barcode_ver_check chown system radio /sys/class/sec/sec_barcode_emul/barcode_led_status # IR_LED chown system radio /sys/class/sec/sec_ir/ir_send chown system radio /sys/class/sec/sec_ir/ir_send_result # Permission for fast dormacy for RIL chown system radio /sys/devices/virtual/sec/bamdmux/waketime # Define TCP buffer sizes for various networks # ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, setprop net.tcp.buffersize.default 4096,87380,704512,4096,16384,110208 setprop net.tcp.buffersize.wifi 524288,1048576,2560000,524288,1048576,2560000 setprop net.tcp.buffersize.lte 524288,1048576,2560000,524288,1048576,2560000 setprop net.tcp.buffersize.umts 4094,87380,704512,4096,16384,110208 setprop net.tcp.buffersize.hspa 4094,87380,704512,4096,16384,262144 setprop net.tcp.buffersize.hsupa 4094,87380,704512,4096,16384,262144 setprop net.tcp.buffersize.hsdpa 4094,87380,704512,4096,16384,262144 setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 setprop net.tcp.buffersize.gprs 4092,30000,30000,4096,8760,11680 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 # Assign TCP buffer thresholds to be ceiling value of technology maximums # Increased technology maximums should be reflected here. write /proc/sys/net/core/rmem_max 1048576 write /proc/sys/net/core/wmem_max 2097152 write /sys/block/mmcblk0/queue/scheduler noop class_start core class_start main on nonencrypted class_start late_start on charger mount_all fstab.qcom class_start charger write /sys/devices/system/cpu/cpu1/online 1 write /sys/devices/system/cpu/cpu2/online 1 write /sys/devices/system/cpu/cpu3/online 1 write /sys/module/rpm_resources/enable_low_power/L2_cache 1 write /sys/module/rpm_resources/enable_low_power/pxo 1 write /sys/module/rpm_resources/enable_low_power/vdd_dig 1 write /sys/module/rpm_resources/enable_low_power/vdd_mem 1 write /sys/module/pm_8x60/modes/cpu0/power_collapse/suspend_enabled 1 write /sys/module/pm_8x60/modes/cpu1/power_collapse/suspend_enabled 1 write /sys/module/pm_8x60/modes/cpu2/power_collapse/suspend_enabled 1 write /sys/module/pm_8x60/modes/cpu3/power_collapse/suspend_enabled 1 write /sys/module/pm_8x60/modes/cpu0/standalone_power_collapse/suspend_enabled 1 write /sys/module/pm_8x60/modes/cpu1/standalone_power_collapse/suspend_enabled 1 write /sys/module/pm_8x60/modes/cpu2/standalone_power_collapse/suspend_enabled 1 write /sys/module/pm_8x60/modes/cpu3/standalone_power_collapse/suspend_enabled 1 write /sys/module/pm_8x60/modes/cpu0/standalone_power_collapse/idle_enabled 1 write /sys/module/pm_8x60/modes/cpu1/standalone_power_collapse/idle_enabled 1 write /sys/module/pm_8x60/modes/cpu2/standalone_power_collapse/idle_enabled 1 write /sys/module/pm_8x60/modes/cpu3/standalone_power_collapse/idle_enabled 1 write /sys/module/pm_8x60/modes/cpu0/power_collapse/idle_enabled 0 write /sys/module/pm_8x60/modes/cpu1/power_collapse/idle_enabled 0 write /sys/module/pm_8x60/modes/cpu2/power_collapse/idle_enabled 0 write /sys/module/pm_8x60/modes/cpu3/power_collapse/idle_enabled 0 write /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor "powersave" write /sys/devices/system/cpu/cpu1/cpufreq/scaling_governor "powersave" write /sys/devices/system/cpu/cpu2/cpufreq/scaling_governor "powersave" write /sys/devices/system/cpu/cpu3/cpufreq/scaling_governor "powersave" write /sys/devices/system/cpu/cpu1/online 0 write /sys/devices/system/cpu/cpu2/online 0 write /sys/devices/system/cpu/cpu3/online 0 on property:vold.decrypt=trigger_reset_main class_reset main on property:vold.decrypt=trigger_load_persist_props load_persist_props on property:vold.decrypt=trigger_post_fs_data trigger post-fs-data on property:vold.decrypt=trigger_restart_min_framework class_start main on property:vold.decrypt=trigger_restart_framework class_start main class_start late_start on property:vold.decrypt=trigger_shutdown_framework class_reset late_start class_reset main on property:sys.powerctl=* powerctl ${sys.powerctl} # system server cannot write to /proc/sys files, so proxy it through init on property:sys.sysctl.extra_free_kbytes=* write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes} ## Daemon processes to be run by init. ## service ueventd /sbin/ueventd class core critical seclabel u:r:ueventd:s0 service healthd /sbin/healthd class core critical seclabel u:r:healthd:s0 service lpm /system/bin/lpm class charger critical service healthd-charger /sbin/healthd -n class charger critical seclabel u:r:healthd:s0 # Reload SE Android Policy for MDM on property:persist.security.mdm.policy=1 setprop selinux.reload_policy 1 on property:selinux.reload_policy=1 chown system system /sys/fs/selinux/enforce chown -R system system /sys/fs/selinux/booleans chown system system /sys/fs/selinux/commit_pending_bools service console /system/bin/sh class core console disabled user shell group log ## WTL_EDM_START ## EDM AuditLog service edmaudit /system/bin/edmaudit class main user root ## WTL_EDM_END service auditd /system/bin/auditd -k class main seclabel u:r:auditd:s0 disabled oneshot on property:ro.debuggable=1 start console # adbd is controlled via property triggers in init..usb.rc service adbd /sbin/adbd class core socket adbd stream 660 system system disabled seclabel u:r:adbd:s0 # adbd on at boot in emulator on property:ro.kernel.qemu=1 start adbd service servicemanager /system/bin/servicemanager class core user system group system critical onrestart restart healthd onrestart restart zygote onrestart restart media onrestart restart surfaceflinger onrestart restart drm onrestart restart sensorhubservice onrestart restart TvoutService_C service vold /system/bin/vold class core socket vold stream 0660 root mount ioprio be 2 socket dir_enc_report stream 0660 root mount socket epm stream 0660 system system service netd /system/bin/netd class main socket netd stream 0660 root system socket dnsproxyd stream 0660 root inet socket mdns stream 0660 root system service debuggerd /system/bin/debuggerd class main # icd service icd /system/bin/icd class main user system group system log onrestart check_icd oneshot service prepare_param /system/bin/prepare_param.sh /dev/block/platform/msm_sdcc.1/by-name/param class main user root group root seclabel u:r:prepare_param:s0 oneshot service mobex-daemon /system/bin/npsmobex class main user system group system radio inet sdcard_r sdcard_rw media_rw shell service ril-daemon /system/bin/rild class main socket rild stream 660 root radio socket rild-debug stream 660 radio system user root group radio cache inet misc audio log qcom_diag service secril-daemon /system/bin/sec-ril class main user root group radio cache inet misc audio sdcard_rw diag log service DR-daemon /system/bin/ddexe class main user root group system radio inet net_raw service SMD-daemon /system/bin/smdexe class main user root group system radio inet net_raw service BCS-daemon /system/bin/connfwexe class main user root group system radio inet net_raw service SIDESYNC_service /system/bin/ss_conn_daemon class main socket ss_conn_daemon stream 0666 system system user system group inet net_raw service at_distributor /system/bin/at_distributor class late_start user root group radio log service diag_uart_log /system/bin/diag_uart_log class main user root group radio service surfaceflinger /system/bin/surfaceflinger class main user system group graphics drmrpc onrestart restart zygote onrestart restart gsiff_daemon service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server class main socket zygote stream 660 root system onrestart write /sys/android_power/request_state wake onrestart write /sys/power/state on onrestart restart media onrestart restart netd onrestart restart sensorhubservice onrestart restart gsiff_daemon service drm /system/bin/drmserver class main user drm # [ SEC_MM_DRM # fix group system drm inet drmrpc sdcard_r sdcard_rw media_rw radio shell # org # group drm system inet drmrpc # ] service media /system/bin/mediaserver class main user media group system audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm sdcard_rw sdcard_r media_rw shell qcom_diag lgt_gid ioprio rt 4 service powersnd /system/bin/samsungpowersoundplay class main user media group system disabled oneshot service bootanim /system/bin/bootanimation class main user graphics group graphics system disabled oneshot service installd /system/bin/installd class main socket installd stream 600 system system service flash_recovery /system/etc/install-recovery.sh class main seclabel u:r:flash_recovery:s0 oneshot service racoon /system/bin/racoon class main socket racoon stream 600 system system # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. group vpn net_admin inet disabled oneshot # Strongswan VPN service charon /system/bin/charon class main socket charon stream 600 system system # charon will setuid to vpn after getting necessary resources. group vpn net_admin inet disabled oneshot service mtpd /system/bin/mtpd class main socket mtpd stream 600 system system user vpn group vpn net_admin inet net_raw disabled oneshot service keystore /system/bin/keystore /data/misc/keystore class main user keystore group keystore drmrpc system service dumpstate /system/bin/dumpstate -s class main socket dumpstate stream 0660 shell log disabled oneshot # service for TZPR provisioning version check app service scranton_RD /system/bin/scranton_RD class main user root disabled oneshot # insthk service insthk /system/bin/insthk class main user root disabled oneshot # start for TZPR provisioning version check app on property:sys.qseecomd.enable=true start scranton_RD start insthk service sshd /system/bin/start-ssh class main disabled service mdnsd /system/bin/mdnsd class main user mdnsr group inet net_raw socket mdnsd stream 0660 mdnsr inet disabled oneshot on property:init.svc.bootanim=stopped restorecon /data/media restorecon /data/media/obb start auditd start freshsebool service sdumpstate /system/bin/dumpstate -P class main disabled oneshot #sensorhubservice start service sensorhubservice /system/bin/sensorhubservice class main user system group input # bugreport is triggered by holding down volume down, volume up and power service bugreport /system/bin/dumpstate -d -p -B \ -o /data/data/com.android.shell/files/bugreports/bugreport class main disabled oneshot keycodes 114 115 116 # Vibetonz service immvibed /system/bin/immvibed class core user vibe group vibe oneshot # SAMSUNG DRS Service service drsd /system/bin/drsd class main socket drsd stream 600 system system #Knox VPN service ipruleset /system/bin/ipruleset class main group vpn net_admin inet net_raw disabled oneshot #KNOX - SE Android Security Setting Level service freshsebool /system/bin/freshsebool class main user root disabled oneshot # WTL_EDM service createsystemfile /system/bin/createsystemfile class main group system disabled oneshot # icd on property:init.svc.media=restarting check_icd start icd on property:sys.boot_completed=1 write /sys/block/mmcblk0/queue/scheduler cfq